Project Demo
The original files are as follows:
We run the ransomware executable and reopen the files to confirm encryption, as can be seen below:
This illustrates the success of our Ransomware program.
Infection
Because email servers generally do not allow executables to be sent as attachments, there are several other ways to deliver the ransomware to the target system, including:
1. Enhancing the ransomware to exploit common unpatched vulnerabilities in addition to encrypting files, so that it becomes self-propagating on the network. Any computer that remains unpatched against the vulnerability will be infected.
2. Sending a dropper to the victim system, e.g., an Excel document carrying a VBS script. Once the file is opened, the dropper downloads the ransomware onto the victim's system.
3. Sending a phishing email that redirects the victim to a website offering a legitimate product modified to include the ransomware, e.g., a free MS Word installer that does install Office but installs the ransomware as well.
4. If physical access to the victim is possible, using social engineering to draw the victim away from the computer, then plugging in a flash drive containing the ransomware and executing it manually.
5. Sending a phishing email that redirects the user to a website loaded with a script that downloads the ransomware onto the victim's computer automatically.
Attack
The ransomware encrypts files as follows:
1. A random 16-byte session key is generated.
2. The session key is encrypted with a 3072-bit RSA key. This complicates decryption even further: the security level offered by 3072-bit RSA is 128 bits, so a brute-force attempt at decryption would take an incredibly long time.
3. The session key is used to encrypt the file in EAX mode, an authenticated mode, so that any modification to the encrypted file causes decryption to fail completely.
4. Finally, the original file is overwritten with the encrypted session key, the public key, and the ciphertext.
5. For debugging purposes, a success message is also printed to the console.
Every file passed to the encryption function is encrypted in this way, making the data completely inaccessible.
The program also ensures that every file on the system is encrypted by using a scanning function that recursively identifies every file beneath any top directory provided.
On Windows, this would normally be one of the essential drives where the operating system is installed, such as C:\ or D:\. On Linux, the top directory would be /.
The yield statement in the function pauses execution and returns the current item; the next time the generator is resumed, execution continues from that point.
Once loaded onto the victim machine, the program could be run in various ways:
1. The victim could run the ransomware themselves, thinking it is legitimate software.
2. The attacker could launch the ransomware manually at a time of their choosing, provided they have access to the victim's computer, e.g., if it was uploaded via USB.
3. The attacker could launch the program remotely if they can establish remote access to the affected computer.
4. The ransomware could be run automatically as a cron job or a Windows Task Scheduler task. This would let it run at a time when it causes the least disturbance on the system.
5. If the program is embedded within legitimate software, it would be launched at the same time as that software, beginning the encryption process.
Backups of files can also be deleted by the following methods:
1. Augmenting the ransomware to search for shadow copy files and delete them.
2. The attacker could compromise a backup software API and encrypt the company's existing backups.
3. The ransomware could begin by infecting data without fully encrypting it. After some time, it would encrypt all files in both the backup destination and the current destination, making recovery challenging. In this situation, the execution of the ransomware would be delayed to a much later date. This method also makes determining the point and timeline of infection very difficult for the incident response team.
4. The attacker could manually probe the network for backup shares and directories and encrypt the files found there using the ransomware program. This is possible because many corporate networks are designed so that files can be accessed via shares for ease of access.
5. The ransomware could search the local system for common backup file extensions, including .bak among others. These files would then be deleted or encrypted, or their data corrupted, by the attacker.
6. If backups are performed using cron jobs or Windows Task Scheduler tasks, the attacker could enumerate these tasks further. If the files are accessible from the location revealed by these tasks, they could be corrupted or deleted manually. If access is not allowed, the system where the backups are stored could be enumerated further to establish whether an entry point exists.
Detection
Various methods can be used to detect ransomware on a system, including:
1. Static Analysis
Here, the application code is analyzed before execution, and if it is found to contain malicious signatures, it is not executed.
Signatures are normally compared against malicious code patterns deposited in a central repository by antivirus vendors and various security teams.
This method is also known as signature-based analysis.
Ransomware can evade this method by stripping any identifiable information or encoding it differently to generate a new signature that has not yet been recorded in the central repository.
2. Dynamic Analysis
Here, the program is executed in a sandboxed environment to observe how it behaves. If it is found to have malicious properties, e.g., contacting IP addresses associated with malicious actors or consuming excessive system resources, it is flagged and is not allowed to execute on the main operating system.
This method is also known as behavior-based analysis.
Ransomware can typically evade this type of analysis by adding checks on the environment it is running in. If it is a sandboxed environment, some features of the ransomware will not run as they normally would.
3. Heuristic Analysis
This is a type of dynamic analysis in which the program does not rely only on signatures to catch malicious programs but also on unusual behavior. This would include large amounts of traffic, heavy load on the operating system, or interaction with APIs commonly associated with malware.
Anomalous file activity, such as failures accessing multiple files, or increased disk and CPU activity without any clear, decipherable reason, would also trigger this type of analysis.
Any program exhibiting these heuristics is not allowed to execute on the main operating system.
Ransomware typically evades this by hard-coding delays to mimic regular processes and programs in the operating system, ensuring it does not trigger such security features.
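The file-activity heuristic described under item 3, as an added defender-side example that is not part of the project's code: each write is scored by byte entropy, and an alert is raised only when several high-entropy rewrites of different files land within a short window, which is the pattern the encryption routine above produces. The event records and thresholds are constructed for illustration.

```python
import math
from collections import deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text is typically 3 to 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    # Compressed archives and images also score high, so entropy alone is
    # only a hint; the burst logic below is what raises the alert.
    return shannon_entropy(data) >= threshold

def detect_rewrite_burst(events, window_s=10.0, max_rewrites=5):
    """events: iterable of (timestamp_s, path, written_bytes) file-write records.
    Returns [(timestamp_s, path)] for every write at which the alert condition
    (at least max_rewrites high-entropy rewrites within window_s) holds."""
    recent = deque()
    alerts = []
    for ts, path, content in events:
        if not looks_encrypted(content):
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > window_s:
            recent.popleft()
        if len(recent) >= max_rewrites:
            alerts.append((ts, path))
    return alerts

# Constructed sample: one ordinary text save, six high-entropy rewrites of
# different document types within 2.5 seconds, then an isolated archive write.
HIGH_ENTROPY = bytes(range(256)) * 4        # stands in for ciphertext
SAMPLE_EVENTS = [
    (0.0, "notes.txt", b"meeting notes " * 8),
    (1.0, "a.docx", HIGH_ENTROPY), (1.5, "b.xlsx", HIGH_ENTROPY),
    (2.0, "c.pdf", HIGH_ENTROPY), (2.5, "d.jpg", HIGH_ENTROPY),
    (3.0, "e.txt", HIGH_ENTROPY), (3.5, "f.csv", HIGH_ENTROPY),
    (30.0, "backup.zip", HIGH_ENTROPY),
]

if __name__ == "__main__":
    for ts, path in detect_rewrite_burst(SAMPLE_EVENTS):
        print(f"ALERT t={ts}: suspicious rewrite burst, last file {path}")
```

The single archive write at t=30 is high-entropy but isolated, so it is not reported; only the burst is.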
Monitoring
Machines on the network can be monitored for malware or ransomware in various ways:
1. Using honeypots
Honeypots are decoys with fake files that appear very real to an attacker. They enable the organization to detect the ransomware early and isolate the infected machine before it spreads across the network.
2. Using antivirus and software solutions
These include anti-ransomware tools, antiviruses, and Endpoint Detection and Response (EDR) solutions that alert you to threats early enough for adequate action to be taken in a reasonable amount of time.
3. Checking email content
Email settings would be configured to parse text for suspicious content and report it as spam. This can be done using various machine-learning methods.
Disallowing specific attachment types, e.g., executables, would also make it harder to infect the victim machine.
This makes phishing much more difficult, reducing the chances of unsuspecting people downloading ransomware onto their machines.
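An added example, not from the project, of the attachment filtering described under item 3: an attachment is classified by its content signature first (so a renamed executable is still caught), then by extension, and finally ZIP-based containers are inspected for a VBA macro project or embedded scripts, the dropper style mentioned under Infection. The file names and sample attachments are constructed.

```python
import io
import os
import zipfile

# Extensions blocked outright, as a bare attachment or inside an archive.
BLOCKED_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".hta"}
# Content signatures checked first, so a renamed executable ("invoice.pdf") is still caught.
MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

def classify_attachment(filename: str, data: bytes):
    """Return (allowed, reason) for one attachment. The file content decides
    before the declared filename does."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return False, f"{label} content under the name {filename!r}"
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXT:
        return False, f"blocked extension {ext}"
    if data.startswith(b"PK\x03\x04"):          # ZIP container: also covers OOXML Office files
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False, "corrupt ZIP container"
        if any(n.endswith("vbaproject.bin") for n in names):
            return False, "Office document carrying a VBA macro project"
        if any(os.path.splitext(n)[1] in BLOCKED_EXT for n in names):
            return False, "archive contains an executable or script"
    return True, "ok"

def make_zip(entries: dict) -> bytes:
    # Build an in-memory ZIP; used here only to construct sample attachments.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a PE header hidden behind a .pdf name, a macro-enabled
# workbook, a plain workbook, and a ZIP wrapping a (placeholder) VBS file.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "budget.xlsm": make_zip({"xl/workbook.xml": b"<wb/>", "xl/vbaProject.bin": b"\x01"}),
    "budget.xlsx": make_zip({"xl/workbook.xml": b"<wb/>"}),
    "scan.zip": make_zip({"scan.vbs": b"' constructed placeholder, no payload"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_attachment(name, data))
```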
Mitigation
Mitigation is very important even before being infected by ransomware and can be done in the following ways:
1. Applying a zero-trust policy to ensure ransomware does not spread to the whole network, by limiting the interaction between devices.
2. Using multifactor authentication to make it harder for ransomware to propagate across the network using a single compromised authentication factor.
3. Education on best cybersecurity practices, especially phishing, with emphasis on security as an individual responsibility.
4. Keeping the Disaster Recovery Plan or the Incident Response Plan up to date and following prescribed industry standards.
5. Using honeypots and other technological mechanisms to ensure early detection of ransomware on the network. Infected devices would then be isolated from the network to prevent further infection.
6. Regular threat hunting and cleanups to identify and completely remove any malware on the network, including ransomware.
7. Updating systems regularly to mitigate ransomware spreading through unpatched vulnerabilities.
8. Updating and using antivirus, anti-ransomware tools, and other software solutions that assist in recovery and early detection. This would also include EDR and XDR tools as well as secure web gateways.
9. Regular backups using version control and the 3-2-1 rule (three backup copies on two different media, with one copy stored in a separate location). Backups should also be stored in the cloud. Redundancy is very important.
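Decoy files, as mentioned under Monitoring and in item 5 above, can be planted and checked with a few lines of code. This is an added example, not the project's code: the canary names and contents are constructed, and the baseline is a SHA-256 digest per file, so that an in-place rewrite (what the encryption routine above does to every file it reaches) and a deletion or rename are both reported.

```python
import hashlib
import os
import tempfile

# Constructed decoy names; the leading "_" and "zzz" put them first and last in a
# sorted directory listing, so an alphabetical file walk reaches one of them early.
CANARY_NAMES = ("_finance_forecast_2024.xlsx", "zzz_passwords_backup.docx")
CANARY_BODY = b"Decoy document planted by IT. Any change to this file raises an alert.\n"

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_canaries(root: str, names=CANARY_NAMES) -> dict:
    """Write the decoy files under root and return a {path: sha256} baseline."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(CANARY_BODY)
        baseline[path] = sha256_file(path)
    return baseline

def check_canaries(baseline: dict) -> list:
    """Return [(path, reason)] for every canary that vanished (deleted or
    renamed) or whose content changed (rewritten in place)."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_file(path) != digest:
            findings.append((path, "modified"))
    return findings

def demo() -> tuple:
    """Plant, verify, then simulate one canary being overwritten and re-check."""
    root = tempfile.mkdtemp()
    baseline = plant_canaries(root)
    before = check_canaries(baseline)
    victim = sorted(baseline)[0]
    with open(victim, "wb") as f:
        f.write(bytes(range(256)))      # ciphertext-like bytes replacing the decoy
    return before, check_canaries(baseline)

if __name__ == "__main__":
    print(demo())
```

In production the check runs on a schedule or from a file-system watcher, and a finding should trigger host isolation rather than just a log line.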
Miscellaneous
Downloaded ransomware files could be kept hidden by:
1. Keeping the ransomware among temporary folders on the system.
2. Keeping the ransomware in Windows Registry keys to ensure it is launched with the operating system.
3. Stripping identifiable information, such as file headers and file extensions, from the ransomware to prevent trivial detection by code inspection.
4. Giving the ransomware heuristics that mimic a regular program, avoiding as much heuristic detection as possible.
5. Obfuscating the signatures of the ransomware to evade signature-based detection.
6. Running the ransomware as an in-memory process where possible, limiting its chances of detection.
7. Keeping the ransomware among critical system files, e.g., in /bin on Linux and SYSTEM on Windows.
The code for this project can be found at: